Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel.
Hi,
I had some issues with docker containers running debian 9, I was not able to connect to services that were using Lets Encrypt certs from those containers, strange enough update-ca-certificates --fresh from inside container didn't help. Deleting docker images and recreating from scratch made everything work again. Host was running Ubuntu 20 and it had no problem at all, I was able to connect to the same services from the host without any manipulations on the host.
Jurijs
On Fri, Oct 1, 2021 at 10:06 PM Joel Serrano joel@textplus.com wrote:
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio related? Some old firmware EOL Yealink phones stopped trusting Lets Encrypt issued cert. Some old softphones as well.
Otherwise, Postman refusing to connect, they pushed an update earlier today.
Overall, it was "fun".
Cheers, --Sergiu
On Fri, Oct 1, 2021 at 3:12 PM Jurijs Ivolga jurijs.ivolga@gmail.com wrote:
Hi,
I had some issues with docker containers running debian 9, I was not able to connect to services that were using Lets Encrypt certs from those containers, strange enough update-ca-certificates --fresh from inside container didn't help. Deleting docker images and recreating from scratch made everything work again. Host was running Ubuntu 20 and it had no problem at all, I was able to connect to the same services from the host without any manipulations on the host.
Jurijs
On Fri, Oct 1, 2021 at 10:06 PM Joel Serrano joel@textplus.com wrote:
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Hello,
in total we had three customer incidents (two server related, one client related) because of this, one of them was a major incident.
Cheers,
Henning
-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.comhttps://gilawa.com/
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of Joel Serrano Sent: Friday, October 1, 2021 9:05 PM To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: [SR-Users] Let's Encrypt DST Root CA X3 cert CA expiration 30th/Sept - Any issues?
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel.
Hey there,
I have this, as per documentation, that I assume is going to push out the publish events real-time as that is what the docs indicate...
===
event_route[xhttp:request] {
$var(call-id) = $(rb{json.parse,Call-ID}); if ($(rb{json.parse,Event-Package}) == "dialog") { xlog("L_INFO", "$var(call-id)|log|received $(rb{json.parse,Event-Package}) update for $(rb{json.parse,From})"); pua_json_publish($rb); } }
===
Problem is, it does NOT send out a notification - the BLFs do not change UNTIL the devices do a re-subscribe....
Does anyone know what I am missing?
Thanks In Advance.... Jerry
Hey there Kamailio Users....
I have followed the guidance of: https://kamailio.org/docs/modules/5.1.x/modules/tm.html
I have created a dial code '8888' and will change the URI and add a few others...
------------
request_route {
if($rU=~"^8888$") { seturi("sip:a@example.com"); append_branch("sip:b@example.com"); append_branch("sip:c@example.com"); append_branch("sip:d@example.com"); t_relay(); } } -----------------
It works great BUT....
There no PUBLISH events sent out, as a result, no BLFs flash,etc...
Also, no audio on the line when I pick up the phone.
If I call the dest directly, everything works as expected..
Any ideas?
Jerry
Hey there,
Is there a way to add a new branch to a call in the onreply_route if the result is a redirect?
OpenSIPS has this 't_inject_branches()' function that allows you to add another branch to an existing transaction...if needed...
Is there some mechanism to do this in Kamailio?
Any ideas? Jerry
Can you attach a sip subscribe message and json payload ($rb) which you expect to send a notify to the subscribe?
On Fri, Oct 8, 2021 at 11:49 AM Jerry Kendall < Jerry.Kendall@bishophosting.com> wrote:
Hey there,
I have this, as per documentation, that I assume is going to push out the publish events real-time as that is what the docs indicate...
===
event_route[xhttp:request] {
$var(call-id) = $(rb{json.parse,Call-ID}); if ($(rb{json.parse,Event-Package}) == "dialog") { xlog("L_INFO", "$var(call-id)|log|received $(rb{json.parse,Event-Package}) update for $(rb{json.parse,From})"); pua_json_publish($rb); } }
===
Problem is, it does NOT send out a notification - the BLFs do not change UNTIL the devices do a re-subscribe....
Does anyone know what I am missing?
Thanks In Advance.... Jerry
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Some of our internal API have started to fail and most of software update routines jammed up as a result until we figured out how to cope with that issue.
Not the first one and certainly not the last. In general PKI/TLS is by design prone to issues like this and I am sad industry has not come up with anything better yet to communicate over insecure channels. :( Noise protocol certainly holds lots of potential in my view but mills of IETF mill slowly, so we are going to be suffering for many years to come I am afraid.
-Max
On Fri., Oct. 8, 2021, 8:23 a.m. Henning Westerholt, hw@skalatan.de wrote:
Hello,
in total we had three customer incidents (two server related, one client related) because of this, one of them was a major incident.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
*From:* sr-users sr-users-bounces@lists.kamailio.org *On Behalf Of *Joel Serrano *Sent:* Friday, October 1, 2021 9:05 PM *To:* Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject:* [SR-Users] Let's Encrypt DST Root CA X3 cert CA expiration 30th/Sept - Any issues?
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Like our comrades at APIBAN. Had to patch the CA list on older linux distros to get this restarted.
Oct 8 10:20:21 kamailio[8476]: WARNING: http_client [functions.c:308]: curL_request_url(): TLS server certificate validation error (No valid CA cert) (url: https://apiban.org/api/...)
@Fred, all good out there bud? lol
On Fri, Oct 8, 2021 at 12:30 PM Maxim Sobolev sobomax@sippysoft.com wrote:
Some of our internal API have started to fail and most of software update routines jammed up as a result until we figured out how to cope with that issue.
Not the first one and certainly not the last. In general PKI/TLS is by design prone to issues like this and I am sad industry has not come up with anything better yet to communicate over insecure channels. :( Noise protocol certainly holds lots of potential in my view but mills of IETF mill slowly, so we are going to be suffering for many years to come I am afraid.
-Max
On Fri., Oct. 8, 2021, 8:23 a.m. Henning Westerholt, hw@skalatan.de wrote:
Hello,
in total we had three customer incidents (two server related, one client related) because of this, one of them was a major incident.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
*From:* sr-users sr-users-bounces@lists.kamailio.org *On Behalf Of *Joel Serrano *Sent:* Friday, October 1, 2021 9:05 PM *To:* Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject:* [SR-Users] Let's Encrypt DST Root CA X3 cert CA expiration 30th/Sept - Any issues?
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
A client had Digium phones that hated the expired part of the cert as well. Had to hack out the cross-signing to make them happy.
On Fri, Oct 8, 2021 at 12:49 PM Sergiu Pojoga pojogas@gmail.com wrote:
Like our comrades at APIBAN. Had to patch the CA list on older linux distros to get this restarted.
Oct 8 10:20:21 kamailio[8476]: WARNING: http_client [functions.c:308]: curL_request_url(): TLS server certificate validation error (No valid CA cert) (url: https://apiban.org/api/...)
@Fred, all good out there bud? lol
On Fri, Oct 8, 2021 at 12:30 PM Maxim Sobolev sobomax@sippysoft.com wrote:
Some of our internal API have started to fail and most of software update routines jammed up as a result until we figured out how to cope with that issue.
Not the first one and certainly not the last. In general PKI/TLS is by design prone to issues like this and I am sad industry has not come up with anything better yet to communicate over insecure channels. :( Noise protocol certainly holds lots of potential in my view but mills of IETF mill slowly, so we are going to be suffering for many years to come I am afraid.
-Max
On Fri., Oct. 8, 2021, 8:23 a.m. Henning Westerholt, hw@skalatan.de wrote:
Hello,
in total we had three customer incidents (two server related, one client related) because of this, one of them was a major incident.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
*From:* sr-users sr-users-bounces@lists.kamailio.org *On Behalf Of *Joel Serrano *Sent:* Friday, October 1, 2021 9:05 PM *To:* Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org *Subject:* [SR-Users] Let's Encrypt DST Root CA X3 cert CA expiration 30th/Sept - Any issues?
Hello,
I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert?
Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause.
Anyone out there had any issues yesterday because of this? I'm just curious!
Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
On 10/8/21 1:49 PM, Sergiu Pojoga wrote:
Like our comrades at APIBAN. Had to patch the CA list on older linux distros to get this restarted.
Oct 8 10:20:21 kamailio[8476]: WARNING: http_client [functions.c:308]: curL_request_url(): TLS server certificate validation error (No valid CA cert) (url: https://apiban.org/api/.. https://apiban.org/api/...)
@Fred, all good out there bud? lol
The only problems I'm seeing are on local systems that don't trust the cert as the apiban cert is valid. If the system has the updated CA, the request will work.
"if clients of your API are using OpenSSL, they must use version 1.1.0 or later"
Fred Posner | palner.com Matrix: @fred:matrix.lod.com o: +1 (212) 937-7844
Here we had problems with clients using an Auerswald PBX showing the following error message:
503: Certificate Validation Failure SSL-Error 10: certificate has expired, depth=3 /O=Digital Signature Trust Co./CN=DST Root CA X3 )
Regards, Matthias
On 08.10.21 19:49, Sergiu Pojoga wrote:
Like our comrades at APIBAN. Had to patch the CA list on older linux distros to get this restarted.
Oct 8 10:20:21 kamailio[8476]: WARNING: http_client [functions.c:308]: curL_request_url(): TLS server certificate validation error (No valid CA cert) (url: https://apiban.org/api/.. https://apiban.org/api/...)
@Fred, all good out there bud? lol
On Fri, Oct 8, 2021 at 12:30 PM Maxim Sobolev <sobomax@sippysoft.com mailto:sobomax@sippysoft.com> wrote:
Some of our internal API have started to fail and most of software update routines jammed up as a result until we figured out how to cope with that issue. Not the first one and certainly not the last. In general PKI/TLS is by design prone to issues like this and I am sad industry has not come up with anything better yet to communicate over insecure channels. :( Noise protocol certainly holds lots of potential in my view but mills of IETF mill slowly, so we are going to be suffering for many years to come I am afraid. -Max On Fri., Oct. 8, 2021, 8:23 a.m. Henning Westerholt, <hw@skalatan.de <mailto:hw@skalatan.de>> wrote: Hello, in total we had three customer incidents (two server related, one client related) because of this, one of them was a major incident. Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ <https://skalatan.de/blog/> Kamailio services – https://gilawa.com <https://gilawa.com/> *From:* sr-users <sr-users-bounces@lists.kamailio.org <mailto:sr-users-bounces@lists.kamailio.org>> *On Behalf Of *Joel Serrano *Sent:* Friday, October 1, 2021 9:05 PM *To:* Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org <mailto:sr-users@lists.kamailio.org>> *Subject:* [SR-Users] Let's Encrypt DST Root CA X3 cert CA expiration 30th/Sept - Any issues? Hello, I'm wondering if anyone had any issues yesterday with the expiration of the DST Root CA X3 cert? Out of all the servers I manage, only a couple were affected (debian 8). They were production servers so we replaced the cert with a different one to solve the issue while we find the root cause. Anyone out there had any issues yesterday because of this? I'm just curious! Joel. __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users@lists.kamailio.org <mailto:sr-users@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users> __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users@lists.kamailio.org <mailto:sr-users@lists.kamailio.org> Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
Kamailio - Users Mailing List - Non Commercial Discussions
- sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
-
E. Schmidbauer -
Fred Posner -
Henning Westerholt -
James Van Vleet -
Jerry Kendall -
Joel Serrano -
Jurijs Ivolga -
Matthias Wimmer -
Maxim Sobolev -
Sergiu Pojoga